Skip to main content

Working With HMAC Payloads

If you have enabled a secret key to generate an HMAC digest, a special header will be sent with all of your Webhook payloads. This header is X-Nexus-Webhook-Signature. It can be used to ensure that the message you receive is in fact what was originally generated.

For ease of getting you up and running with webhooks using HMAC, here is an example express based node.js script that can be used to verify that the payload you receive is what was originally sent.


const express = require('express');
const app = express();
const bodyParser = require('body-parser');
const crypto = require('crypto');
const secretKey = 'mysecretkey';
app.use(bodyParser.json());'/', function(req, res) {
  const body = req.body;
  const signature = req.headers['x-nexus-webhook-signature'];
  var hmacDigest = crypto.createHmac("sha1",
  console.log('Webhook received');
  console.log('Headers: ' + JSON.stringify(req.headers));
  console.log('Body: ' + JSON.stringify(req.body));
  console.log('HmacDigest: ' + hmacDigest);
  console.log('Signature: ' + signature);
app.listen(3000, function() {
console.log('Server running on port 3000.');

This script can also be used for testing as an alternative to RequestBin.